{"id":359561,"date":"2025-09-19T19:28:03","date_gmt":"2025-09-19T13:58:03","guid":{"rendered":"https:\/\/www.technologyforyou.org\/?p=359561"},"modified":"2025-09-19T19:28:03","modified_gmt":"2025-09-19T13:58:03","slug":"kaspersky-discovers-the-return-of-revengehotels-leveraging-ai-in-attacks-on-brazilian-hotels","status":"publish","type":"post","link":"https:\/\/www.technologyforyou.org\/kaspersky-discovers-the-return-of-revengehotels-leveraging-ai-in-attacks-on-brazilian-hotels\/","title":{"rendered":"Kaspersky discovers the return of RevengeHotels, leveraging AI in attacks on Brazilian hotels"},"content":{"rendered":"<p class=\"ArticleBody_date__rpGhG\">Between June and August 2025, Kaspersky\u2019s Global Research and Analysis Team (GReAT) identified a new wave of attacks carried out by RevengeHotels, also known as TA558, a threat group which has been active since 2015. In this campaign, the group targeted the tourism and hospitality sector in Brazil and several Spanish-speaking countries, stealing banking card data from hotel guests. The actor has significantly enhanced its capabilities, adopting new tactics and using AI to expand operations into additional regions.<\/p>\n<div class=\"ArticleBody_articleContainer__Sz0LX\">\n<div class=\"ArticleBody_articleBody__gN8bN\">\n<div class=\"ArticleBody_content__tiVdv ArticleBody_withContentAbove__RyYxL\">\n<p>Although Brazilian hotels are the primary targets of the new campaign, the activity has also extended to Spanish-speaking countries, including Argentina, Bolivia, Chile, Costa Rica, Mexico, and Spain. Earlier another campaign from the same actor was discovered targeting users in Russia, Belarus, Turkey, Malaysia, Italy and Egypt.<\/p>\n<p>The threat actor uses phishing emails disguised as requests for reservation, urging recipients to review the attached documents. 
The website link in the documents lures the user into installing a Remote Access Trojan (RAT), which lets the attackers issue commands to control compromised systems and steal sensitive data. The messages are typically sent to email addresses associated with hotel reservations. In recent cases, however, the theme has shifted to fake job applications, where attackers send CVs in an attempt to exploit potential vacancies at targeted hotels. For payload delivery, the attackers leverage legitimate hosting services, often registering Portuguese-themed domain names.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/content.kaspersky-labs.com\/fm\/press-releases\/6f\/6f2ea9c1fb08a3618286e29a5ec3e507\/processed\/revengehotels-graphics-q93.png\" alt=\"Example of a phishing email about reservation confirmation\" width=\"709\" height=\"443\" \/><em>Example of a phishing email about reservation confirmation<\/em><\/p>\n<p>PowerShell downloaders, a tactic consistent with the group\u2019s attack patterns. VenomRAT is distributed on dark web resources, with a lifetime license costing up to $650. It extends the functionality of QuasarRAT, offering features such as HVNC hidden desktop, file and credential theft, reverse proxy, and UAC exploit. Analysis shows that many of the initial infectors newly created by RevengeHotels include code likely produced using AI.<\/p>\n<p>\u201c<em>Although the actor\u2019s style is still recognizable, this campaign shows some new features: a large part of the initial infector and downloader code appears to be generated using Large Language Model (LLM) agents. 
This highlights a growing trend of threat actors leveraging AI to expand and evolve their capabilities, which has also been observed in other cybercriminal groups<\/em>,\u201d comments Lisandro Ubiedo, senior security expert at Kaspersky\u2019s Global Research and Analysis Team.<\/p>\n<p>Kaspersky products detect these threats as HEUR:Trojan-Downloader.Script.Agent.gen, HEUR:Trojan.Win32.Generic, HEUR:Trojan.MSIL.Agent.gen, Trojan-Downloader.PowerShell.Agent.ady, Trojan.PowerShell.Agent.aqx.<\/p>\n<p>More information is available in a report on\u00a0<a href=\"https:\/\/securelist.com\/revengehotels-attacks-with-ai-and-venomrat-across-latin-america\/117493\/\" target=\"_blank\" rel=\"noopener\">Securelist.com<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Between June and August 2025, Kaspersky\u2019s Global Research and Analysis Team (GReAT) identified a new wave of attacks carried out by RevengeHotels, also known as TA558, a threat group which has been active since 2015. 
In this campaign, the group targeted the tourism and hospitality sector in Brazil and several Spanish-speaking countries, stealing banking card [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14083],"tags":[],"class_list":{"0":"post-359561","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-technology-industry-news"},"_links":{"self":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/359561","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/comments?post=359561"}],"version-history":[{"count":0,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/359561\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/media?parent=359561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/categories?post=359561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/tags?post=359561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}